STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 24 Jan 2020: Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.

DISA Rule

SV-87085r2_rule

Vulnerability Number

V-72461

Group Title

SRG-APP-000516-DNS-000086

Rule Version

BIND-9X-001142

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the permissions of the dnssec-keygen key files:

# chmod 400 <key_file>

Check Contents

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key files are more permissive than 400, this is a finding.

Vulnerability Number

V-72461

Documentable

False

Rule Version

BIND-9X-001142

Severity Override Guidance

If the server is in a classified network, this is Not Applicable.

With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server.

An example dnssec-keygen key file will look like:

Kns1.example.com_ns2.example.com.+161+28823.key
OR
Kns1.example.com_ns2.example.com.+161+28823.private

For each key file identified, verify that the key file is owned by "root":

# ls -al
-r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key

If the key files are more permissive than 400, this is a finding.

Check Content Reference

M

Target Key

3085

Comments